This guides walks though the setup for Single Sign On (SSO) in Cloud Control Center using Okta Identity.
Three main components are required to successfully configure SSO using Okta Identity.
1. Create and Assign User Roles
2. Adding Elisity Cloud Control Center Application in Okta
3. Configure Okta SSO within Cloud Control Center (Two Methods)
Note: You can create custom mappings from groups within your SSO directory to user roles in Cloud Control Center. It is recommended to set up these role mapping configurations if you are planning on using Role-Based Access Control (RBAC) in Cloud Control Center, which enables powerful access control to various scopes such as Users, Devices, Policies, Virtual Edges, Settings, and more.
Step 1 - Create User Groups in Okta
First we will create user groups in Okta - TenantAdmin and TenantUser in this example. These two user groups are the default roles in Cloud Control Center.
Remember, you can create custom mappings from existing user groups to user roles at any time.
Navigate to Directory -> Groups and select Add group
Give your user groups the appropriate names and descriptions. These user groups are used to authorize users in Cloud Control Center, so be sure that the Name syntax matches the images below exactly.
Now that our groups are created, we will be able to quickly assign them to our Application defined in Okta that we are going to create in the next step.
Step 2 - Create App Integration in Okta
Go to the Applications dashboard in Okta and click Create App Integration.
Note that the screenshots are created in Developer Edition and may vary from customer portals.
Next, Select OIDC - OpenID Connect option, select Web Application as your application, and click Next.
Give the application a name such as 'Elisity SSO'. Under Grant Type, click the check box for the Refresh Token option. Leave the redirect URLs as the default options for now; we will modify the sign-in redirect URI in a later step.
Under Assignments, Select Limit access to selected groups and choose the two user groups we created previously - TenantAdmin and TenantUser.
Here is where you can also add any further user groups that you would like to map to user roles within Cloud Control Center. See how to map SSO groups to user roles.
Click the Save button after all options have been submitted.
Step 3 - Modify Sign-In Redirect URI in Okta
After saving the application settings, open the application information and copy the Client ID and Client Secret into your notepad for later.
Scroll down to the application general settings, and click edit. Scroll down to the LOGIN section that contains the sign-in redirect URls.
Replace the existing Sign-In Redirect URI (Reply URL) with URI found in the Cloud Control Center SSO configuration.
Click Save after appropriately modifying the URI.
Step 4 - Create an API Role in Okta
Expand the Security drop-down in the left pane, then click API (the last item in the list).
Copy Issuer URI value for required (usually 'default') Authorization Server into the notepad where we saved the Client ID and Client Secret for later use.
Edit the settings of the Default Authorization Server by clicking the name default on the left or by clicking the edit icon to the right.
Enter the following options for the new claim:
Enter 'UserRole' for Name
For Include in token type select ID token and Always
Select Groups for Value type
For Filter select Matches regex and .* as regex
For Include in select The following scopes option, then type 'openid'
Before finalizing our SSO integration, we can quickly add our Key-Value to User Role configurations within Cloud Control Center. Recall the API role that we configured in Okta for our CCC Application registration. We use a Key-Value pair for these API calls where the key is "UserRole" and the value type is user groups filtered by a matching regex in Okta. Any groups in Okta that are assigned to the Application Integration for Cloud Control Center are eligible to be mapped to a role in Cloud Control Center. Creating these configurations is very simple.
Go to Settings > Admin > SSO Configuration > Role Configuration
For any and every user group that you would like to map to a role in Cloud Control Center, you need to create a mapping here. If you copied the syntax for the Key-Value pairs in this guide, the default User Roles should look exactly like this:
|USER ROLE (pre-defined)
Any additional user groups you would like to map to custom roles can also be configured here. They should use the same key (Key = "UserRole") unless you configured your key-value differently. Note that the "Key" string in CCC is case-sensitive, meaning if you used "UserRole" as your role key in Okta, it must match exactly in Cloud Control Center. The "Value" field should also match exactly the syntax of user groups assigned to your CCC Application within your IDP. You can then assign to any custom role you have created to effectively enable Role-Based Access Control for Cloud Control Center. An example might look like this:
In this example we are restricting SSO users who are a member of the NetworkAdmin group to ONLY the Virtual Edge page.
Final Step: Configure Okta SSO within Cloud Control Center
Method 1: Using the Discovery Endpoint for Okta SSO
Before using this method, you need to ensure that your Elisity Application and User Roles are already created in Okta SSO. If they are not, navigate to the respective sections to fulfill these requirements first.
Accessing SSO Configuration in CCC:
- Sign into Cloud Control Center (CCC) with an admin account that has permissions to make SSO configuration changes.
- Navigate to the settings page, then go to the Admin dropdown and select the SSO configuration tab. Make sure that "Use discovery endpoint" is toggled to use this method.
Obtaining the Discovery Endpoint:
- The Discovery Endpoint for Okta SSO can be obtained by appending “.well-known/openid-configuration” to the Okta issuer URL.
- Example: If the Okta issuer URL is
https://<Okta-Domain>/idp, then the Discovery Endpoint would be
Populating Metadata Automatically:
- Click on the "DISCOVER" button within the CCC SSO configuration page. This action will automatically populate all the Metadata fields required for Okta SSO integration.
Acquiring Client ID and Secret:
- Obtain the Client ID and Secret from your Okta SSO setup. These are essential credentials for the integration.
Setting up Redirect URI (Reply URL):
- The Redirect URI needed for Okta SSO configuration will be displayed in the Redirect URI box within the CCC.
- This URI must be configured in your Okta SSO setup to ensure proper redirection after authentication.
By following these steps, users can easily configure Okta SSO with Elisity's Cloud Control Center using the Discovery Endpoint method. This method simplifies the process by automating the metadata population, reducing the potential for errors during manual entry. It's important that the user verifies the correctness of the automatically populated fields to ensure a seamless integration with Okta SSO.
Method 2: Manually Entering Metadata
You can optionally choose to bypass the Discovery Endpoint method and manually enter all the required configurations in Cloud Control Center. Toggle off the "Use discovery endpoint" button, and you will have access to manually enter the following fields:
- Redirect URI (Reply URL): The callback location where the SSO provider will send the user after authentication. This can be found in Cloud Control Center.
- Client ID: The unique identifier assigned to your application by the SSO provider. This value can be found by following the guide above.
- Client Secret: A confidential secret used by your application to authenticate with the SSO provider. This value can be found by following the guide above.
- Token Endpoint: The URL used by the application to exchange an authorization code for an access token.
- Authorization Endpoint: The URL used to initiate the user authorization process.\
- JSON Web Key Set (JWKS) URI: The URL pointing to a set of public keys used to verify the signature of JSON Web Tokens.
- User Information Endpoint: The URL from which the application can retrieve user profile information.
- Issuer: The URL that uniquely identifies the authorization server that issued the token. This value can be found by following the guide above.
Refer to Okta Identity documentation on how to retrieve the values for manual configuration that are not covered in this document.
Okta SSO Integration Completed
You should now be able to login to Cloud Control Center using SSO with Okta for users who have the appropriate attributes applied. Simply click "Login with SSO" and input user your credentials from Okta.